CVE-2021-30181

CRITICAL

Apache Dubbo 2.5.0-2.6.8 and 2.5.0-2.7.8 - Remote Code Execution via Script Routing Rule Parsing

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-30181. PoCs published by shoucheng3.

AI-analyzed exploit summary: The repository appears to be a fork or snapshot of the Apache Dubbo project without any exploit code or technical analysis related to CVE-2021-30181. It contains standard project files (e.g., .asf.yaml, GitHub templates) but no PoC, scanner, or writeup.

Description

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing, which enables a customer to route the request to the right server. Customers use these rules when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script, which by default may enable the execution of arbitrary code.

Exploits (1)

nomisec STUB
by shoucheng3 · poc
https://github.com/shoucheng3/apache__incubator-dubbo_CVE-2021-30181_2-6-8

Classification: Stub 90%
Attack Type: Other
Complexity: N/a
Reliability: N/a
Target: Apache Dubbo
No auth needed
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 9.8
EPSS 0.0387
EPSS Percentile 88.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (3)
apache/dubbo 2.5.0 - 2.6.10
com.alibaba/dubbo 2.5.0 - 2.6.9 (Maven)
org.apache.dubbo/dubbo 2.5.0 - 2.7.10 (Maven)
Published Jun 01, 2021
Tracked Since Feb 18, 2026